ShellCheck for various helper bash scripts

.cirrus.yml

@@ -7,11 +7,13 @@ task:
   # Use the maximum timeout. Needed when rebuilding packages on a channel update.
   timeout_in: 120m
 
+  container:
+    # Defined in https://github.com/nix-community/docker-nixpkgs
+    image: nixpkgs/nix-flakes:nixos-22.05
+
   matrix:
     - name: modules_test
       container:
-        # Use Nix release 2.3.x, the default on NixOS stable
-        image: nixos/nix:2.3.12
         # Besides virtualization, this also enables privileged containers which are required for
         # sandboxed builds
         kvm: true
@@ -28,12 +30,13 @@ task:
       # This script is run as root
       build_script:
         - echo "sandbox = true" >> /etc/nix/nix.conf
-        - export NIX_PATH="nixpkgs=$(nix eval --raw -f pkgs/nixpkgs-pinned.nix nixpkgs)"
-        - nix run -f '<nixpkgs>' bash coreutils cachix -c ./test/ci/build.sh
+        - nix shell --inputs-from . nixpkgs#{bash,coreutils,gawk,cachix} -c ./test/ci/build.sh
 
     - name: flake
-      container:
-        image: nixpkgs/nix-flakes
       build_script:
         - nix flake check
         - ./test/nixos-search/ci-test.sh
+
+    - name: shellcheck
+      build_script:
+        - nix shell --inputs-from . nixpkgs#{shellcheck,findutils,gnugrep} -c ./test/shellcheck.sh

examples/deploy-container-minimal.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -euo pipefail
 
 if [[ ! -v NIX_BITCOIN_EXAMPLES_DIR ]]; then
     echo "Running script in nix shell env..."
@@ -9,16 +10,16 @@ else
 fi
 
 tmpDir=$(mktemp -d /tmp/nix-bitcoin-minimal-container.XXX)
-trap "rm -rf $tmpDir" EXIT
+trap 'rm -rf $tmpDir' EXIT
 
 # Modify importable-configuration.nix to use the local <nix-bitcoin>
 # source instead of fetchTarball
 <importable-configuration.nix sed '
   s|nix-bitcoin = .*|nix-bitcoin = toString <nix-bitcoin>;|;
   s|system.extraDependencies = .*||
-' > $tmpDir/importable-configuration.nix
+' > "$tmpDir/importable-configuration.nix"
 
-cat > $tmpDir/configuration.nix <<EOF
+cat > "$tmpDir/configuration.nix" <<EOF
   {
     imports = [ $tmpDir/importable-configuration.nix ];
     users.users.main = {
@@ -30,4 +31,4 @@ cat > $tmpDir/configuration.nix <<EOF
   }
 EOF
 
-"${BASH_SOURCE[0]%/*}/deploy-container.sh" $tmpDir/configuration.nix "$@"
+"${BASH_SOURCE[0]%/*}/deploy-container.sh" "$tmpDir/configuration.nix" "$@"

examples/deploy-container.sh

@@ -75,7 +75,7 @@ fi
 # Build container.
 # Learn more: https://github.com/erikarvstedt/extra-container
 #
-read -d '' src <<EOF || true
+read -rd '' src <<EOF || true
 { pkgs, lib, ... }: {
   containers.demo-node = {
     extra.addressPrefix = "10.250.0";

examples/deploy-krops.sh

@@ -24,7 +24,7 @@ source qemu-vm/run-vm.sh
 
 echo "Building the target VM"
 # Build the initial VM to which the nix-bitcoin node is deployed via krops
-nix-build --out-link $tmpDir/vm - <<'EOF'
+nix-build --out-link "$tmpDir/vm" - <<'EOF'
 (import <nixpkgs/nixos> {
   configuration = { config, lib, ... }: {
     imports = [ <qemu-vm/vm-config.nix>  ];
@@ -43,11 +43,11 @@ vmNumCPUs=4
 vmMemoryMiB=2048
 sshPort=60734
 # Start the VM in the background
-runVM $tmpDir/vm $vmNumCPUs $vmMemoryMiB $sshPort
+runVM "$tmpDir/vm" "$vmNumCPUs" "$vmMemoryMiB" "$sshPort"
 
 # Build the krops deploy script
 export sshPort
-nix-build --out-link $tmpDir/krops-deploy - <<'EOF'
+nix-build --out-link "$tmpDir/krops-deploy" - <<'EOF'
 let
   krops = (import <nix-bitcoin> {}).krops;
 
@@ -85,7 +85,7 @@ EOF
 
 echo "Building the nix-bitcoin node"
 # Pre-build the nix-bitcoin node outside of the VM to save some time
-nix-build --out-link $tmpDir/store-paths -E '
+nix-build --out-link "$tmpDir/store-paths" -E '
 let
   system = (import <nixpkgs/nixos> { configuration = <krops-vm-configuration.nix>; }).system;
   pkgsUnstable = (import <nix-bitcoin/pkgs/nixpkgs-pinned.nix>).nixpkgs-unstable;
@@ -98,15 +98,15 @@ vmWaitForSSH
 
 # Add the store paths that include the nix-bitcoin node
 # to the nix store db in the VM
-c "nix-store --load-db < $(realpath $tmpDir/store-paths)/registration"
+c "nix-store --load-db < $(realpath "$tmpDir/store-paths")/registration"
 
 echo
 echo "Generate secrets"
 nix-shell --run generate-secrets
 
 echo
 echo "Deploy with krops"
-$tmpDir/krops-deploy
+"$tmpDir/krops-deploy"
 
 echo
 echo "Bitcoind service:"

examples/deploy-qemu-vm.sh

@@ -22,7 +22,7 @@ fi
 source qemu-vm/run-vm.sh
 
 echo "Building VM"
-nix-build --out-link $tmpDir/vm - <<'EOF'
+nix-build --out-link "$tmpDir/vm" - <<'EOF'
 (import <nixpkgs/nixos> {
   configuration = {
     imports = [
@@ -37,7 +37,7 @@ EOF
 vmNumCPUs=4
 vmMemoryMiB=2048
 sshPort=60734
-runVM $tmpDir/vm $vmNumCPUs $vmMemoryMiB $sshPort
+runVM "$tmpDir/vm" "$vmNumCPUs" "$vmMemoryMiB" "$sshPort"
 
 vmWaitForSSH
 printf "Waiting until services are ready"

examples/qemu-vm/run-vm.sh

@@ -1,32 +1,34 @@
 qemuDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
 
+# shellcheck disable=SC1091
 source "$qemuDir/wait-until.sh"
 
 tmpDir=/tmp/nix-bitcoin-qemu-vm
-mkdir -p $tmpDir
+mkdir -p "$tmpDir"
 
 # Cleanup on exit
 cleanup() {
     set +eu
     if [[ $qemuPID ]]; then
-        kill -9 $qemuPID
+        kill -9 "$qemuPID"
     fi
-    rm -rf $tmpDir
+    rm -rf "$tmpDir"
 }
 trap "cleanup" EXIT
 
 identityFile=$qemuDir/id-vm
-chmod 0600 $identityFile
+chmod 0600 "$identityFile"
 
 runVM() {
     vm=$1
     vmNumCPUs=$2
     vmMemoryMiB=$3
     sshPort=$4
 
-    export NIX_DISK_IMAGE=$tmpDir/img
-    export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
-    </dev/null $vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
+    export NIX_DISK_IMAGE="$tmpDir/img"
+    export QEMU_NET_OPTS="hostfwd=tcp::${sshPort}-:22"
+    # shellcheck disable=SC2211
+    </dev/null "$vm"/bin/run-*-vm -m "$vmMemoryMiB" -smp "$vmNumCPUs" &>/dev/null &
     qemuPID=$!
 }
 
@@ -39,7 +41,7 @@ vmWaitForSSH() {
 
 # Run command in VM
 c() {
-    ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
+    ssh -p "$sshPort" -i "$identityFile" -o ConnectTimeout=1 \
         -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
         -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
         root@127.0.0.1 "$@"

examples/start-bash-session.sh

@@ -11,6 +11,8 @@ c systemctl status bitcoind
 
 # BASH_ENVIRONMENT contains definitions of read-only variables like 'BASHOPTS' that
 # cause warnings on evaluation. Suppress these warnings while sourcing.
+#
+# shellcheck disable=SC2016
 BASH_ENVIRONMENT=<(declare -p; declare -pf) \
 USAGE_INFO="$USAGE_INFO" \
   bash --rcfile <(echo '

helper/fetch-release

@@ -12,10 +12,10 @@ if [[ ! -v version ]]; then
 fi
 
 TMPDIR=$(mktemp -d)
-trap "rm -rf $TMPDIR" EXIT
+trap 'rm -rf $TMPDIR' EXIT
 
 export GNUPGHOME=$TMPDIR/gpg-home
-mkdir -p -m 700 "$GNUPGHOME"
+mkdir -m 700 "$GNUPGHOME"
 
 # Import key
 gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
@@ -25,10 +25,10 @@ gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
 gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
 
 # Fetch nar-hash of release
-cd $TMPDIR
+cd "$TMPDIR"
 baseUrl=https://github.com/$repo/releases/download/v$version
-curl -fsS -L -O $baseUrl/nar-hash.txt
-curl -fsS -L -O $baseUrl/nar-hash.txt.asc
+curl -fsS -L -O "$baseUrl/nar-hash.txt"
+curl -fsS -L -O "$baseUrl/nar-hash.txt.asc"
 
 # Verify signature for nar-hash
 gpg --verify nar-hash.txt.asc &> /dev/null || {

helper/push-release.sh

@@ -37,11 +37,11 @@ fi
 cd "${BASH_SOURCE[0]%/*}"
 
 RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
-echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
+echo "Latest release" "$(echo "$RESPONSE" | jq -r '.tag_name' | tail -c +2)"
 
 if [[ ! $DRY_RUN ]]; then
    while true; do
-       read -p "Create release $TAG_NAME? [yn] " yn
+       read -rp "Create release ${TAG_NAME}? [yn] " yn
        case $yn in
            [Yy]* ) break;;
            [Nn]* ) exit;;
@@ -51,22 +51,22 @@ if [[ ! $DRY_RUN ]]; then
 fi
 
 TMPDIR=$(mktemp -d)
-if [[ ! $DRY_RUN ]]; then trap "rm -rf $TMPDIR" EXIT; fi
+if [[ ! $DRY_RUN ]]; then trap 'rm -rf $TMPDIR' EXIT; fi
 ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
 ARCHIVE=$TMPDIR/$ARCHIVE_NAME
 
 # Need to be in the repo root directory for archiving
-(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
+(cd "$(git rev-parse --show-toplevel)"; git archive --format=tar.gz -o "$ARCHIVE" "$BRANCH")
 
 SHA256SUMS=$TMPDIR/SHA256SUMS.txt
 # Use relative path with sha256sums because it'll output the first
 # argument
-(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
-gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
+(cd "$TMPDIR"; sha256sum "$ARCHIVE_NAME" > "$SHA256SUMS")
+gpg -o "$SHA256SUMS.asc" -a --detach-sig "$SHA256SUMS"
 
-pushd $TMPDIR >/dev/null
+pushd "$TMPDIR" >/dev/null
 
-nix hash to-sri --type sha256 $(nix-prefetch-url --unpack file://$ARCHIVE 2> /dev/null) > nar-hash.txt
+nix hash to-sri --type sha256 "$(nix-prefetch-url --unpack "file://$ARCHIVE" 2> /dev/null)" > nar-hash.txt
 gpg -o nar-hash.txt.asc -a --detach-sig nar-hash.txt
 
 if [[ $DRY_RUN ]]; then
@@ -76,7 +76,7 @@ fi
 
 POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
 RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
-ID=$(echo $RESPONSE | jq -r '.id')
+ID=$(echo "$RESPONSE" | jq -r '.id')
 if [[ $ID == null ]]; then
     echo "Failed to create release with $POST_DATA"
     exit 1
@@ -85,20 +85,20 @@ fi
 post_asset() {
     GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
     curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
-         $GH_ASSET/$(basename $1) &> /dev/null
+         "$GH_ASSET/$(basename "$1")" &> /dev/null
 }
 post_asset nar-hash.txt
 post_asset nar-hash.txt.asc
 # Post additional assets for backwards compatibility.
 # This allows older nix-bitcoin installations to upgrade via `fetch-release`.
-post_asset $ARCHIVE
-post_asset $SHA256SUMS
-post_asset $SHA256SUMS.asc
+post_asset "$ARCHIVE"
+post_asset "$SHA256SUMS"
+post_asset "$SHA256SUMS.asc"
 
 popd >/dev/null
 
 if [[ ! $DRY_RUN ]]; then
-    git push $GIT_REMOTE $BRANCH:release
+    git push "$GIT_REMOTE" "${BRANCH}:release"
 fi
 
-echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)
+echo "Successfully created" "$(echo "$POST_DATA" | jq -r .tag_name)"

helper/update-fixed-output-derivation.sh

@@ -7,10 +7,10 @@ flakeOutput=$2
 # A pattern in a line preceding the hash that should be updated
 patternPrecedingHash=$3
 
-sed -i "/$patternPrecedingHash/,/hash/ s|hash = .*|hash = \"\";|" $file
+sed -i "/$patternPrecedingHash/,/hash/ s|hash = .*|hash = \"\";|" "$file"
 # Display stderr and capture it. stdbuf is required to disable output buffering.
 stderr=$(
-    nix build --no-link -L .#$flakeOutput |&
+    nix build --no-link -L ".#$flakeOutput" |&
       stdbuf -oL grep -v '\berror:.*failed to build$' |
       tee /dev/stderr || :
 )
@@ -20,5 +20,5 @@ if [[ ! $hash ]]; then
     echo "Error: No hash in build output."
     exit 1
 fi
-sed -i "/$patternPrecedingHash/,/hash/ s|hash = .*|hash = \"$hash\";|" $file
+sed -i "/$patternPrecedingHash/,/hash/ s|hash = .*|hash = \"$hash\";|" "$file"
 echo "(Note: The above hash mismatch message is not an error. It is part of the fetching process.)"

pkgs/clightning-plugins/get-sha256.sh

@@ -11,4 +11,4 @@ archive_hash () {
 echo "Fetching latest lightningd/plugins release"
 latest=$(git ls-remote https://github.com/lightningd/plugins master | cut -f 1)
 echo "rev = \"${latest}\";"
-echo "sha256 = \"$(archive_hash lightningd/plugins $latest)\";"
+echo "sha256 = \"$(archive_hash lightningd/plugins "$latest")\";"

pkgs/clightning-rest/generate.sh

@@ -8,18 +8,18 @@ repo=https://github.com/Ride-The-Lightning/c-lightning-REST
 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
 
 updateSrc() {
-    TMPDIR="$(mktemp -d /tmp/clightning-rest.XXX)"
-    trap "rm -rf $TMPDIR" EXIT
+    TMPDIR=$(mktemp -d /tmp/clightning-rest.XXX)
+    trap 'rm -rf $TMPDIR' EXIT
 
     # Fetch and verify source tarball
     export GNUPGHOME=$TMPDIR
     # Fetch saubyk's key
     gpg --keyserver hkps://keyserver.ubuntu.com --recv-key 3E9BD4436C288039CA827A9200C9E2BC2E45666F
     file=v${version}.tar.gz
-    wget -P $TMPDIR $repo/archive/refs/tags/$file
-    wget -P $TMPDIR $repo/releases/download/v${version}/$file.asc
-    gpg --verify $TMPDIR/$file.asc $TMPDIR/$file
-    hash=$(nix hash file $TMPDIR/$file)
+    wget -P "$TMPDIR" "${repo}/archive/refs/tags/${file}"
+    wget -P "$TMPDIR" "${repo}/releases/download/v${version}/${file}.asc"
+    gpg --verify "${TMPDIR}/${file}.asc" "${TMPDIR}/${file}"
+    hash=$(nix hash file "${TMPDIR}/${file}")
 
     sed -i "
       s|\bversion = .*;|version = \"$version\";|
@@ -28,13 +28,13 @@ updateSrc() {
 }
 
 updateNodeModulesHash() {
-    $scriptDir/../../helper/update-fixed-output-derivation.sh ./default.nix clightning-rest.nodeModules nodeModules
+    "$scriptDir/../../helper/update-fixed-output-derivation.sh" ./default.nix clightning-rest.nodeModules nodeModules
 }
 
 if [[ $# == 0 ]]; then
     # Each of these can be run separately
     updateSrc
     updateNodeModulesHash
 else
-    eval "$@"
+    "$@"
 fi